DV CA & IP Certificates

TL;DR

No, a Domain Validated (DV) Certificate Authority (CA) cannot issue an IP certificate. DV CAs verify control of a domain name, not direct ownership or control of an IP address. You need an Organisation Validated (OV) or Extended Validation (EV) CA for IP certificates.

Understanding the Difference

Certificates come in different types based on how thoroughly the issuing CA checks your identity and control over the resource being secured. Here’s a breakdown:

  • Domain Validated (DV): The CA simply confirms you control the domain name. This is usually done via email verification or DNS record changes.
  • Organisation Validated (OV): The CA verifies your organisation’s existence and legitimacy, often through business registration documents.
  • Extended Validation (EV): The most rigorous check; the CA performs extensive identity verification before issuing the certificate.

IP certificates require verifying control of an IP address or network block, which falls outside the scope of DV validation.

Why DV CAs Can’t Issue IP Certificates

  1. Validation Method: DV CAs are designed to validate domain ownership. They don’t have processes for verifying IP address control.
  2. IP Address Ownership is Complex: An IP address isn’t necessarily owned by a single entity. It can be leased, shared, or part of a larger network managed by an Internet Service Provider (ISP). DV validation can’t reliably determine who has legitimate authority over an IP address.
  3. Security Risks: Allowing DV CAs to issue IP certificates would create significant security risks. Someone could fraudulently obtain a certificate for an IP address they don’t control, enabling man-in-the-middle attacks.

How to Get an IP Certificate

  1. Choose an OV or EV CA: Select a Certificate Authority that offers IP certificates and performs Organisation Validation (OV) or Extended Validation (EV). Popular CAs include DigiCert, Sectigo, and GlobalSign.
  2. Submit Verification Documents: The CA will require documentation to prove your organisation’s identity and control over the IP address block you want to secure. This might include:
    • Business registration documents
    • Proof of physical address
    • Authorisation letters from network administrators
    • IP address allocation records (e.g., RIR documentation)
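  3. Generate a Certificate Signing Request (CSR): Create a CSR on your server using OpenSSL or a similar tool. The CSR should request the address as an IP entry in the Subject Alternative Name (203.0.113.10 below is a placeholder; -addext requires OpenSSL 1.1.1 or later).
    openssl req -new -newkey rsa:2048 -keyout example.key -out example.csr -addext "subjectAltName = IP:203.0.113.10"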
  4. Submit the CSR to the CA: Upload the generated CSR to the CA’s portal.
  5. Complete Validation Process: The CA will review your documentation and may contact you for further verification.
  6. Install the Certificate: Once validated, download the IP certificate and install it on your server.

Checking an IP Certificate

You can use OpenSSL to verify an IP certificate:

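# Replace 203.0.113.10 (placeholder) with the address the certificate was issued for
openssl s_client -connect 203.0.113.10:443 </dev/null 2>/dev/null | openssl x509 -noout -text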

Look for the ‘Subject Alternative Name’ field in the output. It should list the IP addresses covered by the certificate.
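The SAN check described above can be scripted. The following is an added example, not code from the original page: it parses the text rendering of a certificate and reports whether an address is listed as an IP entry, and flags addresses filed as DNS names, which clients do not match when connecting by IP. The sample text and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of `openssl x509 -noout -text` output.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vpn.example.com, DNS:198.51.100.7, IP Address:203.0.113.10, IP Address:2001:DB8:0:0:0:0:0:1
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

def parse_san(text):
    """Return (dns_names, ip_addresses) found in the SAN line of the text dump."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    dns, ips = [], []
    if not m:
        return dns, ips  # certificate has no SAN extension
    for entry in m.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            # ipaddress normalises the expanded, upper-case IPv6 form
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def covers_ip(text, target):
    """True only if target is present as an IP Address SAN entry."""
    _, ips = parse_san(text)
    return ipaddress.ip_address(target) in ips

def misfiled_ips(text):
    """IP literals stored as DNS entries; these do not cover https://<ip>/."""
    dns, _ = parse_san(text)
    found = []
    for name in dns:
        try:
            found.append(str(ipaddress.ip_address(name)))
        except ValueError:
            pass  # an ordinary hostname
    return found

if __name__ == "__main__":
    for addr in ("203.0.113.10", "2001:db8::1", "198.51.100.7"):
        print(addr, "covered" if covers_ip(SAMPLE_TEXT, addr) else "NOT covered")
    print("IPs filed as DNS names:", misfiled_ips(SAMPLE_TEXT))
```

To check a live server, pass the output of the s_client command above to `covers_ip` in place of `SAMPLE_TEXT`.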